Difference between revisions of "Pangolin (PNG)"

From CryptoWiki

 
Line 12: Line 12:
*[[Bug bounty]] program can be found [https://hackenproof.com/avalanche/avalanche-general here] (15-7-2021) Is 100k or over and is an [https://docs.defisafety.com/finished-reviews/pangolin-process-quality-review#audits active program]. [https://www.defisafety.com/pqrs/425 Update] (21-3-2022): ''"No bug bounty program is offered. While a subsection is created titled “Bug Bounty”, the page is blank and states “coming soon”."''
*Scored [https://www.defisafety.com/pqrs/425 51%] on [[DeFi Safety]] (21-3-2022):
''"[[Contract]] [https://snowtrace.io/address/0xe54ca86531e17ef3616d22ca28b0d458b6c89106#code PangolinRouter] is used over 100 times a day. No testing found in Pangolin's [[GitHub]] repository. Although there is testing of libraries and third-party contracts (such as [[ERC20]].sol), there is virtually no visible testing of Pangolin's executing [[smart contracts]] (Factory, router, mini chef, [[staking]], etc). There is no visible code coverage for any of the Pangolin smart contracts. There is no visible test report of any kind in Pangolin's documentation and [[Github|GitHub]] repositories. Pangolin has not undergone a [[Formal Verification]] test. Code is [[Fork|forked]] from [[Uniswap (UNI)|Uniswap]] V2 which was audited however the [[LINK|link]] to the audit does not work (404). Recently, Pangolin has been [https://docs.pangolin.exchange/pangolin-verified/security audited multiple times] by Halborn, in which changes were identified, addressed and solved."''


With the [https://t.me/c/1453353094/7917 comment]:  ''"This Top 10 [[Avalanche (AVAX)|Avalanche]] [[Decentralized Exchange (DEX)|DEX]] should go to greater lengths in documenting the software capabilities of its protocol. Frontend guides are great, but we want more of that juicy dev stuff. Similarly, Pangolin seemingly lacks the will to document the full extent of their testing suites. We found plenty of library and third-party [[smart contract]] testing, but barely any that focus directly on Pangolin's executing smart contracts. Even so, Pangolin does a decent job at detailing its governance modules. Although it could be more explicit, it is certainly present, and [[MANY|many]] [[AVAX]] protocols do not offer this luxury. With numerous audits, these two aspects of the DEX are certainly redeeming. In the end, however, we simply wish that Pangolin increasingly document the capabilities of its software and testing thereof. In general, we think that the protocol would benefit from a documentation revamp in order to reassert its scaly defenses. Plz do answer us sometime."''
*Previously scored a [https://defisafety.com/2021/07/15/pangolin/ 34%] (15-7-2021):


Line 23: Line 23:
===Bugs/Exploits===


* From a [https://twitter.com/shunduquar/status/1534989160381136909 thread] (10-6-2022):
''"So turns out that [[Trader Joe (JOE)|Trader Joe]] was exploited for ~$1M  and this was kept a secret. Later, the same exploit was used against Pangolin to steal ~$300K of protocol fees. And the contract was audited by [[Halborn]]."''
*[https://www.coindesk.com/avalanche-developers-rush-client-patch-as-bug-slows-avalanche-transactions From] [[CoinDesk]] (12-2-2021):


Line 30: Line 33:


* [https://www.defisafety.com/pqrs/425 From] [[DeFi Safety]] (21-3-2022):
''"None of Pangolin's executing smart contracts, save for the protocol [[fees]], are explicitly labelled as upgradeable or [[immutable]]. Pangolin's [[Multi-Signature|MultiSig]] ownership is [https://docs.pangolin.exchange/pangolin-verified/multisig-members detailed]. Some [[Smart Contract|smart contract]] change capabilities are identified in the Pangolin documentation. No pause control or a similar function is identified within the Pangolin documentation. A [[timelock]] is identified multiple times within Pangolin's [https://docs.pangolin.exchange/github/governance#deployment-addresses documentation], and a duration is identified within the governance forum. Pangolin's timelock has a duration of one week."''
*[https://docs.defisafety.com/finished-reviews/pangolin-process-quality-review#audits According] to [[DeFi Safety]], [[contracts]] are '[https://gov.pangolin.exchange/t/how-governance-works/1082/2 clearly labelled] as upgradable' (15-7-2021) and:



Latest revision as of 03:03, 13 June 2022

One of the main DEXs on Avalanche

Basics

  • Started in / Announced on:
  • Based in:
  • Mainnet release:

History

Audits & Exploits

  • Bug bounty program can be found here (15-7-2021); it is 100k or over and is an active program. Update (21-3-2022): "No bug bounty program is offered. While a subsection is created titled “Bug Bounty”, the page is blank and states “coming soon”."
  • Scored 51% on DeFi Safety (21-3-2022):

"Contract PangolinRouter is used over 100 times a day. No testing found in Pangolin's GitHub repository. Although there is testing of libraries and third-party contracts (such as ERC20.sol), there is virtually no visible testing of Pangolin's executing smart contracts (Factory, router, mini chef, staking, etc). There is no visible code coverage for any of the Pangolin smart contracts. There is no visible test report of any kind in Pangolin's documentation and GitHub repositories. Pangolin has not undergone a Formal Verification test. Code is forked from Uniswap V2 which was audited however the link to the audit does not work (404). Recently, Pangolin has been audited multiple times by Halborn, in which changes were identified, addressed and solved."

With the comment: "This Top 10 Avalanche DEX should go to greater lengths in documenting the software capabilities of its protocol. Frontend guides are great, but we want more of that juicy dev stuff. Similarly, Pangolin seemingly lacks the will to document the full extent of their testing suites. We found plenty of library and third-party smart contract testing, but barely any that focus directly on Pangolin's executing smart contracts. Even so, Pangolin does a decent job at detailing its governance modules. Although it could be more explicit, it is certainly present, and many AVAX protocols do not offer this luxury. With numerous audits, these two aspects of the DEX are certainly redeeming. In the end, however, we simply wish that Pangolin increasingly document the capabilities of its software and testing thereof. In general, we think that the protocol would benefit from a documentation revamp in order to reassert its scaly defenses. Plz do answer us sometime."

  • Previously scored a 34% (15-7-2021):

"They have not done any audits because they are a fork of Compound and Uniswap: two very audited protocols."

  • Since then they did get audits (2-2022), which is reflected in the updated score above.

Bugs/Exploits

  • From a thread (10-6-2022):

"So turns out that Trader Joe was exploited for ~$1M and this was kept a secret. Later, the same exploit was used against Pangolin to steal ~$300K of protocol fees. And the contract was audited by Halborn."

  • From CoinDesk (12-2-2021):

"The Avalanche network has come to a near halt after “a bug in the cross-chain functionality” code that enables the Avalanche protocol and the Ethereum Virtual Machine (EVM) to speak with each other failed under high loads, according to the Avalanche developer team on Reddit. The release of Avalanche's newest decentralized finance (DeFi) product, money market Pangolin, snowballed into “insane load” for the network, which further “triggered a very low probability bug that produced a bad state in the network,” the team said on Reddit. The ability to send transactions has crawled to a halt with some users reporting wait times of up to four hours for finalizing a transaction. Funds are safe, however."

Governance

Admin Keys

  • From DeFi Safety (21-3-2022):

"None of Pangolin's executing smart contracts, save for the protocol fees, are explicitly labelled as upgradeable or immutable. Pangolin's MultiSig ownership is detailed. Some smart contract change capabilities are identified in the Pangolin documentation. No pause control or a similar function is identified within the Pangolin documentation. A timelock is identified multiple times within Pangolin's documentation, and a duration is identified within the governance forum. Pangolin's timelock has a duration of one week."

  • According to DeFi Safety, contracts are 'clearly labelled as upgradable' (15-7-2021) and:

"No Pause Control info in their documentation and no testing evidence found in their GitHub."

DAO

From the docs (16-7-2021):

"Pangolin governance will be live three months after launch and will enable several key actions, including:

  1. Modifications to the liquidity pools
  2. Fee Switch"

Treasury

Token

Launch

Token Allocation

Utility

Other Details

Stablecoin

Coin Distribution

Technology

"With 217 commits and 4 branches, Pangolin's main repository strikes fear in the heart of all ants."

How it works

Fees

Upgrades

Mining

Staking

Validator Stats

Liquidity Mining

Scaling

Interoperability

Other Details

Oracle Method

"Pangolin explains why they do not use an Oracle. Pangolin does not document any front running mitigation strategies. Pangolin does not document any flash loan/liquidity attack mitigation strategies."

Privacy Method

Compliance

Their Other Projects

Roadmap

  • Can be found [Insert link here].

Usage

Projects that use or built on it

Competition

Trader Joe and other DEXs on Avalanche in particular, and DEXs on other chains in general.

Pros and Cons

Pros

Cons

Team, Funding, Partners

Team

  • Full team can be found here.

Funding

Partners
